From 9c8ecaafe5af428b0c8f1e0d943b0c17aa93049c Mon Sep 17 00:00:00 2001 From: David Robertson Date: Wed, 9 Feb 2022 17:32:28 +0000 Subject: [PATCH 1/7] Dockerfile that builds with poetry To test: ``` DOCKER_BUILDKIT=1 docker build . -t sydent && docker run sydent ``` To inspect the container while it's running, get the container id with `docker ps` and then: ``` $ docker exec -it 001f9bfc6a54 bash sydent@001f9bfc6a54:/home/sydent$ ls src venv sydent@001f9bfc6a54:/home/sydent$ ls src README.rst poetry.lock pyproject.toml requirements.txt res scripts sydent sydent@001f9bfc6a54:/home/sydent$ ls venv bin lib pyvenv.cfg ``` --- Dockerfile | 61 +++++++++++++++++++++++++++++++----------------------- 1 file changed, 35 insertions(+), 26 deletions(-) diff --git a/Dockerfile b/Dockerfile index 778921ef..60629479 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,35 +1,43 @@ +# This Dockerfile installs Sydent from source, which is assumed to be in the current +# working directory. The resulting image contain a single "sydent" user, and populates +# their home area with "src" and "venv" directories. The entrypoint runs Sydent, +# listening on port 8090. # -# Step 1: Build sydent and install dependencies -# -FROM docker.io/python:3.8-slim as builder +# Users must provide a persistent volume available to the container as `/data`. This +# will contain Sydent's configuration and database. A blank configuration and database +# file is created the first time Sydent runs. -# Install dev packages -RUN apt-get update && apt-get install -y \ - build-essential +# Step 1: install dependencies +FROM docker.io/python:3.8-slim as builder # Add user sydent RUN addgroup --system --gid 993 sydent \ - && adduser --disabled-password --home /sydent --system --uid 993 --gecos sydent sydent \ - && echo "sydent:$(dd if=/dev/random bs=32 count=1 | base64)" | chpasswd + && adduser --disabled-password --system --uid 993 --gecos sydent sydent +USER sydent:sydent -# Copy resources -COPY --chown=sydent:sydent ["res", "/sydent/res"] -COPY --chown=sydent:sydent ["scripts", "/sydent/scripts"] -COPY --chown=sydent:sydent ["sydent", "/sydent/sydent"] -COPY --chown=sydent:sydent ["README.rst", "setup.cfg", "setup.py", "/sydent/"] +# Install poetry +RUN pip install --user poetry==1.1.12 + +# Copy source code and resources +WORKDIR /home/sydent/src +COPY --chown=sydent:sydent ["res", "res"] +COPY --chown=sydent:sydent ["scripts", "scripts"] +COPY --chown=sydent:sydent ["sydent", "sydent"] +COPY --chown=sydent:sydent ["README.rst", "pyproject.toml", "poetry.lock", "./"] # Install dependencies -USER sydent -WORKDIR /sydent -RUN pip install --user --upgrade pip setuptools sentry-sdk prometheus_client \ - && pip install --user . 
\ - && rm -rf /sydent/.cache \ - && find /sydent -name '*.pyc' -delete +RUN python -m poetry install --no-dev --no-interaction -# -# Step 2: Reduce image size and layers -# +# Record dependencies for posterity +RUN python -m poetry export -o requirements.txt + +# Make the virtualenv accessible for the final image +RUN ln -s $(python -m poetry env info -p) /home/sydent/venv + +# Nuke bytecode files to keep the final image slim. +RUN find /home/sydent/venv -type f -name '*.pyc' -delete +# Step 2: Create runtime image FROM docker.io/python:3.8-slim # Add user sydent and create /data directory @@ -39,15 +47,16 @@ RUN addgroup --system --gid 993 sydent \ && mkdir /data \ && chown sydent:sydent /data -# Copy sydent -COPY --from=builder ["/sydent", "/sydent"] +# Copy sydent and the virtualenv +COPY --from=builder ["/home/sydent/src", "/home/sydent/src"] +COPY --from=builder ["/home/sydent/venv", "home/sydent/venv"] ENV SYDENT_CONF=/data/sydent.conf ENV SYDENT_PID_FILE=/data/sydent.pid ENV SYDENT_DB_PATH=/data/sydent.db -WORKDIR /sydent USER sydent:sydent VOLUME ["/data"] EXPOSE 8090/tcp -CMD [ "python", "-m", "sydent.sydent" ] +WORKDIR /home/sydent +CMD [ "venv/bin/python", "-m", "sydent.sydent" ] From 44627128a7b03f9ca16312807dcb6dd12facf047 Mon Sep 17 00:00:00 2001 From: David Robertson Date: Wed, 9 Feb 2022 17:51:28 +0000 Subject: [PATCH 2/7] Changelog --- changelog.d/493.misc | 1 + 1 file changed, 1 insertion(+) create mode 100644 changelog.d/493.misc diff --git a/changelog.d/493.misc b/changelog.d/493.misc new file mode 100644 index 00000000..b04987a7 --- /dev/null +++ b/changelog.d/493.misc @@ -0,0 +1 @@ +Update Dockerfile to use a fixed poetry environment, rather than `pip install`ing the latest dependencies. \ No newline at end of file From e9fc715907f40884f14f478d5005dd0ec88153bd Mon Sep 17 00:00:00 2001 
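Review bot: The bytecode cleanup `RUN find /home/sydent/venv -type f -name '*.pyc' -delete` at the end of the builder stage is almost certainly a no-op, because `/home/sydent/venv` was created one line earlier as a symlink and GNU find in its default `-P` mode does not descend into a symlinked starting point, so the `.pyc` files survive into the tree the runtime stage copies. Running it against the resolved directory fixes that: `RUN find "$(python -m poetry env info -p)" -type f -name '*.pyc' -delete` (a trailing slash, `find /home/sydent/venv/ …`, or `find -H` would also work). The reason both `src` and the virtualenv must keep exactly these paths in the final image is not written down anywhere; as far as I can tell `poetry install` links the project into the virtualenv by absolute path and `venv/bin/python` is itself a link to the base image's interpreter, so I would add above the `ln -s` something like `# The runtime stage must copy src and the venv to these same absolute paths and use the same base image: the venv references both by path.` Finally, `pip install --user poetry==1.1.12` pins Poetry but not Poetry's own dependencies, which is acceptable for a build-only tool but worth a one-line comment so nobody mistakes the builder stage for fully reproducible.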
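Review bot: The two `COPY --from=builder` lines copy `/home/sydent/src` and the virtualenv without `--chown`, and a stage-to-stage COPY in my experience preserves the source ownership, so the application code and all of its dependencies end up owned by uid 993, the same user the service runs as; a compromised Sydent process could then overwrite its own code and libraries rather than only `/data`. Copying them root-owned keeps the application tree read-only for the service user: `COPY --from=builder --chown=root:root ["/home/sydent/src", "/home/sydent/src"]` and the same flag on the venv line (as far as the `ENV` lines show, all runtime state — config, pid file, database — goes to `/data`, so nothing needs to write under `/home/sydent`). Whichever way ownership is resolved, the two stages are now coupled through the numeric ids and the absolute paths, so a comment such as `# uid/gid and the /home/sydent paths must match the builder stage: the copied trees are referenced by absolute path and carry numeric ownership.` next to the runtime-stage `addgroup` would stop a future edit from silently breaking the image.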
From: David Robertson Date: Wed, 9 Feb 2022 18:27:54 +0000 Subject: [PATCH 3/7] Don't rearrange lines unnecessarily --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 60629479..41cbd988 100644 --- a/Dockerfile +++ b/Dockerfile @@ -55,8 +55,8 @@ ENV SYDENT_CONF=/data/sydent.conf ENV SYDENT_PID_FILE=/data/sydent.pid ENV SYDENT_DB_PATH=/data/sydent.db +WORKDIR /home/sydent USER sydent:sydent VOLUME ["/data"] EXPOSE 8090/tcp -WORKDIR /home/sydent CMD [ "venv/bin/python", "-m", "sydent.sydent" ] From 86be24f69688e901959e5e0887170b9f60da7e14 Mon Sep 17 00:00:00 2001 From: David Robertson Date: Thu, 10 Feb 2022 12:00:28 +0000 Subject: [PATCH 4/7] Update Dockerfile Co-authored-by: reivilibre --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 41cbd988..7a04bc98 100644 --- a/Dockerfile +++ b/Dockerfile @@ -49,7 +49,7 @@ RUN addgroup --system --gid 993 sydent \ # Copy sydent and the virtualenv COPY --from=builder ["/home/sydent/src", "/home/sydent/src"] -COPY --from=builder ["/home/sydent/venv", "home/sydent/venv"] +COPY --from=builder ["/home/sydent/venv", "/home/sydent/venv"] ENV SYDENT_CONF=/data/sydent.conf ENV SYDENT_PID_FILE=/data/sydent.pid From 0bcbf2c3df2a8c6eca796ca3de50065262cae236 Mon Sep 17 00:00:00 2001 From: David Robertson Date: Thu, 10 Feb 2022 12:00:32 +0000 Subject: [PATCH 5/7] Update Dockerfile Co-authored-by: Shay --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 7a04bc98..fc565b7f 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,5 +1,5 @@ # This Dockerfile installs Sydent from source, which is assumed to be in the current -# working directory. The resulting image contain a single "sydent" user, and populates +# working directory. The resulting image contains a single "sydent" user, and populates # their home area with "src" and "venv" directories. The entrypoint runs Sydent, # listening on port 8090. # From a2d467fec75d0657aeb345910c1223cf7c219f8b Mon Sep 17 00:00:00 2001 From: David Robertson Date: Thu, 10 Feb 2022 14:14:25 +0000 Subject: [PATCH 6/7] Use `--disabled-login` and don't set a password --- Dockerfile | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index fc565b7f..aa5b3c37 100644 --- a/Dockerfile +++ b/Dockerfile @@ -12,7 +12,7 @@ FROM docker.io/python:3.8-slim as builder # Add user sydent RUN addgroup --system --gid 993 sydent \ - && adduser --disabled-password --system --uid 993 --gecos sydent sydent + && adduser --disabled-login --system --uid 993 --gecos sydent sydent USER sydent:sydent # Install poetry @@ -42,8 +42,7 @@ FROM docker.io/python:3.8-slim # Add user sydent and create /data directory RUN addgroup --system --gid 993 sydent \ - && adduser --disabled-password --home /sydent --system --uid 993 --gecos sydent sydent \ - && echo "sydent:$(dd if=/dev/random bs=32 count=1 | base64)" | chpasswd \ + && adduser --disabled-login --home /sydent --system --uid 993 --gecos sydent sydent \ && mkdir /data \ && chown sydent:sydent /data From 3e7f3ca97c4455a1e30926e56bc9f5b77d8432a2 Mon Sep 17 00:00:00 2001 From: David Robertson Date: Thu, 10 Feb 2022 14:14:41 +0000 Subject: [PATCH 7/7] Tweak README --- README.rst | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/README.rst b/README.rst index 394b133a..3753f08c 100644 --- a/README.rst +++ b/README.rst 
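Review bot: The runtime-stage `adduser` on the new side still passes `--home /sydent`, while `WORKDIR`, the copied source and the virtualenv all live under `/home/sydent` (the builder stage gives no `--home`, so its user appears to default to `/home/sydent`); the service therefore runs with `$HOME` pointing at a directory that holds none of Sydent's files, which is confusing at best and sends anything that writes to `$HOME` outside the copied tree. Either align it, `&& adduser --disabled-login --home /home/sydent --system --uid 993 --gecos sydent sydent \`, or document the split with a comment on that line. Removing the `chpasswd` line is right, since a hash set at build time would persist in the image layer and the image has no login path; for a `--system` account I believe `adduser` already leaves the shadow entry locked, so `--disabled-login` is mainly documentation here, and a brief `# no password: the account is only ever entered via USER / docker exec` would make that intent explicit for the next reader.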
@@ -80,13 +80,11 @@ Docker A Dockerfile is provided for sydent. To use it, run ``docker build -t sydent .`` in a sydent checkout. To run it, use ``docker run --env=SYDENT_SERVER_NAME=my-sydent-server -p 8090:8090 sydent``. -Caution: All data will be lost when the container is terminated! - Persistent data --------------- -By default, all data is stored in ``/data``. -The best method is to put the data in a Docker volume. +By default, all data is stored in ``/data``. To persist this to disk, bind `/data` to a +Docker volume. .. code-block:: shell